PBGC - Office of Inspector General


Audit of PBGC’s FY 2019 Compliance with the Federal Information Security Modernization Act of 2014 (AUD-2020-05/FA-19-137-4), issued December 20, 2019

We contracted with CliftonLarsonAllen LLP (CLA), an independent public accounting firm, to perform an evaluation of PBGC’s information security program as required by FISMA. Our independent public accountants concluded that PBGC’s security program, as in the prior year, fell below the specified threshold of effectiveness, Managed and Measurable (Level 4). PBGC’s information security program achieved an overall Consistently Implemented (Level 3) maturity level. However, CLA did note areas of improvement in the Security Training and Information Security Continuous Monitoring domains, each moving up one level. In addition, two functional areas, Detect and Respond, were found to meet the Managed and Measurable (Level 4) maturity level. CLA also concluded that PBGC’s implementation of a subset of selected controls for selected information systems was not fully effective to ensure the confidentiality, integrity, and availability of the Corporation’s information and information systems, potentially exposing them to unauthorized access, use, disclosure, disruption, modification, or destruction. Consequently, CLA noted weaknesses in 5 of the 8 Inspector General FISMA Metric Domains and made a total of 8 new and 20 repeated recommendations to assist PBGC in strengthening its information security program. Two of the new recommendations were issued in the Financial Statements audit report and six are issued in this report. PBGC agreed with the six new recommendations in this report and previously agreed with the two recommendations in the Financial Statements audit report.


Pension Benefits Guarantee Corporation